Channels

Services

Botnet uses hacked devices to scan the internet

A previously unknown hacker has undertaken a census of the web. To perform his "Internet Census 2012" he infected around 420,000 poorly protected embedded devices with what he describes as a harmless bot, named Carna. "Poorly protected" in this case means that either no login credentials were required or standard credentials such as "root:root" or "admin:admin" were able to gain entry.

In response to enquiries by The H's associates at heise Security, the hacker was not willing to divulge any information about his identity. CNET states that Gordon Lyon (Fyodor), the author of network scanning tool nmap, is behind the census. This may, however, be due to a misunderstanding. nmap was used for the census, but there is no evidence that Fyodor himself was behind the legally dubious project. It is legally dubious because the perpetrator uploaded between 46KB and 60KB (depending on processor architecture) of botnet software onto third party devices without obtaining the owner's prior consent.

This enabled the hacker to accelerate the scanning speed by a significant factor. In response to enquiries, the hacker confirmed that he did not obtain legal advice prior to carrying out his census. The unknown hacker has packed the results of the census into some fascinating graphics. He recorded every IP address which responded to one of 52 billion pings sent between June and October 2012. A total of 420 million IP addresses/devices responded to ping requests.

One of the GIF files displays ping queries over a 24 hour period on a world map
Source: Internet Census 2012

But it's another result from the census which is most interesting – the number of poorly secured network devices connected to the internet. The hacker states that he did not sniff around on intranets of which infected devices were members. In response to heise Security's enquiries, he writes that it would have been easy to add functionality for infiltrating intranets to the bot code.

He underlined his efforts to ensure that his bots did not cause any damage by noting that the scan was set to be performed with the lowest possible priority and that binaries were removed from devices when they were reset. Whilst the census was being undertaken, however, surrounding bots ensured that the bot code was reinstalled.

As well as the bot binary, the hacker also placed a README file on infected devices, explaining the purpose of the project and providing an email address for enquiries. The designated email address received only two messages, both from honeypot operators whose honeypots had been infected by the bot.